Government spyware hidden in Google Play store apps

We’ve seen malicious government cyberweapons leaked out of the National Security Agency (NSA) and injected via ransomware, but security researchers recently found government spyware squatting in plain sight, pretending to be harmless vanilla apps on Google’s Play store.

This time around, the malware doesn’t come from the NSA. Rather, it alegedly comes from the Italian government, which apparently purchased it from a company that sells surveillance cameras.

According to Motherboard, this is the first time that security researchers have seen malware produced by the surveillance company, known as eSurv.

It was discovered in a joint investigation carried out by Motherboard and researchers from Security Without Borders – a non-profit that often investigates threats against dissidents and human rights defenders.

Security Without Borders published a technical report of their findings on Friday:

We identified previously unknown spyware apps being successfully uploaded on Google Play Store multiple times over the course of over two years. These apps would remain available on the Play Store for months and would eventually be re-uploaded.

They’re calling the malware Exodus, after the name of the command and control servers the apps connected to.

The connection with Italy was apparently made due to snippets of Italian text in the code, such as mundizza, a dialect word from Calabria that means trash or garbage, and RINO GATTUSO, a famous retired footballer from Calabria, the region where eSurv is based.

Exodus’s two-part whammy

Exodus works in two stages: Exodus One and Exodus Two.

The first stage works as a decoy: the malware poses as harmless apps that do things like receive promotions and marketing offers from local Italian cellphone providers or that claim to improve the device’s performance.

But the first stage also loads and executes a payload of secondary programs – Exodus Two – that handle data collection and exfiltration.

There’s a laundry list of data that Exodus Two snorts up and sends back to its command-and-control servers, apparently including: installed apps, browsing history, contact lists from numerous apps, text messages, location data, plus app and Wi-fi passwords.

The report also says that Exodus Two can activate the camera and the microphone to capture both audio and video, as well as take screenshots of apps as they’re used.

Apparently, Exodus includes a function called CheckValidTarget function that supposedly exists to “validate” the target of a new infection, but the researchers suggest that not much “validation” is going on, given that the malware activated immediately on the burner phone they used, and stayed active throughout their tests.

Worse still, the Exodus code isn’t any good at security itself.

The spyware apparently opens up a remote command shell on infected phones, but doesn’t use any sort of encryption or authentication, so that anyone on the same Wi-Fi network as an infected device can wander in and hack it:

Binding a shell on all available interfaces will obviously make it accessible to anyone who [is on the same network as] an infected device. For example, if an infected device is connected to a public Wi-Fi network any other host will be able to obtain a terminal on the device without any form of authentication or verification by simply connecting to the port.

So not only does the spyware snoop on data, it also leaves that data open to tampering.

What good does it do law enforcement to retrieve possibly adulterated data? One of Motherboard’s sources – a police agent who’s used spyware during investigations – was particularly critical:

This, from the point of view of legal surveillance, is insane. Opening up security holes and leaving them available to anyone is crazy and senseless, even before being illegal.

A brief history of bad app-ery

Unfortunately, this is just the latest in a long string of rotten apples spoiling the Google Play store barrel.

The forcefield keeping Google Play Store pure and pollutant-free has had holes poked in it before.

For example, a few months ago, research found that 18,000 Play Store apps, many with hundreds of millions of installs, appeared to be sidestepping the Advertising ID system by quietly collecting additional identifiers from users’ smartphones in ways that couldn’t be blocked or reset.

in May 2018, SophosLabs found photo editor apps hiding malware on Google Play.

In February 2018, Google announced that just in the previous year alone, it had removed 700,000 bad apps and stopped 100,000 bad-app developers from sharing their nastyware on the Google Play store.

This recent Italian spyware case shows yet again that you don’t have to be much of an evil genius of an app developer to get past Google’s filters. As Motherboard reports, more than 20 malicious apps in the Exodus family went unnoticed by Google over the course of roughly two years.

Google confirmed to Security Without Borders that it’s removed all of the Exodus apps. Google said that most of the apps collected a few dozen installations each, though one of them reached over 350.

All of the downloads happened in Italy.